Changeset 71280 in webkit


Timestamp:
Nov 3, 2010 4:41:09 PM
Author:
oliver@apple.com
Message:

2010-11-03 Oliver Hunt <oliver@apple.com>

Reviewed by Gavin Barraclough.

Crash in Function.prototype.call.apply
https://bugs.webkit.org/show_bug.cgi?id=48485

The problem here was op_load_varargs failing to ensure that
there was sufficient space for the entire callframe prior to
op_call_varargs. This meant that when we then re-entered the
VM it was possible to stomp over an earlier portion of the
stack, so causing sub-optimal behaviour.

  • bytecode/Opcode.h:
  • bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitLoadVarargs):
  • bytecompiler/BytecodeGenerator.h:
  • bytecompiler/NodesCodegen.cpp: (JSC::ApplyFunctionCallDotNode::emitBytecode):
  • jit/JIT.cpp: (JSC::JIT::privateCompile):
  • jit/JITOpcodes.cpp: (JSC::JIT::emit_op_load_varargs):

2010-11-03 Oliver Hunt <oliver@apple.com>

Reviewed by Gavin Barraclough.

Crash in Function.prototype.call.apply
https://bugs.webkit.org/show_bug.cgi?id=48485

Test for applying arguments to call at the edge of
the allocated region of the registerfile.

  • fast/js/call-apply-crash-expected.txt: Added.
  • fast/js/call-apply-crash.html: Added.
  • fast/js/script-tests/call-apply-crash.js: Added. (testLog):
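The construct the message describes, Function.prototype.call.apply with a spread argument array, can be exercised from plain JavaScript at every stack depth up to the engine's limit, so that the varargs call frame is eventually built at the edge of whatever register file or stack the engine uses. The probe below is an added example, not WebKit's own fast/js/script-tests/call-apply-crash.js and not code from this changeset; the callee, the argument generator and the depth sweep are all constructed here, and it assumes only an ES2015 engine that reports stack exhaustion as a RangeError (it was checked under Node).

```javascript
// Added example, not part of WebKit changeset r71280 or its layout test.
// Invokes Function.prototype.call.apply at every stack depth until the engine
// reports exhaustion, checking each result against a closed form so that a
// stomp on an earlier frame shows up as a wrong value instead of a crash.
'use strict';

// Callee with a known result: sum of 1..n is n(n+1)/2.
function sum() {
  let s = 0;
  for (let i = 0; i < arguments.length; i++) s += arguments[i];
  return s;
}

// Constructed input: [1, 2, ..., n].
function makeArgs(n) {
  const a = new Array(n);
  for (let i = 0; i < n; i++) a[i] = i + 1;
  return a;
}

// One call.apply invocation. call.apply(sum, [thisValue, ...args]) is
// sum.call(thisValue, ...args), which is sum(...args).
function sumViaCallApply(argCount) {
  return Function.prototype.call.apply(sum, [null].concat(makeArgs(argCount)));
}

// Recurse until the engine throws RangeError (stack exhausted), verifying the
// call.apply result in every frame on the way down. Returns the depth reached;
// anything other than the expected RangeError, including a corrupted result,
// is rethrown.
function runProbe(argCount) {
  const expected = argCount * (argCount + 1) / 2;
  let maxDepth = 0;
  function probe(depth) {
    maxDepth = depth;
    const got = sumViaCallApply(argCount);
    if (got !== expected) {
      throw new Error('corrupted result at depth ' + depth + ': ' + got + ' !== ' + expected);
    }
    probe(depth + 1);
  }
  try {
    probe(1);
  } catch (e) {
    if (!(e instanceof RangeError)) throw e;
  }
  return maxDepth;
}

// Sweep argument counts so the varargs frame size varies relative to the
// remaining headroom; returns { argCount: depthReached }.
function probeAll(argCounts) {
  const depths = {};
  for (const n of argCounts) depths[n] = runProbe(n);
  return depths;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(probeAll([0, 1, 8, 64, 512, 2048]));
}
```

Varying the argument count matters because the amount of register file the varargs frame needs grows with it, so different counts put the frame's end at different distances past the point the previous check covered; a fixed-size probe could miss the window the fix closes.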
Location:
trunk
Files:
3 added
8 edited

  • trunk/JavaScriptCore/ChangeLog

    r71272 r71280  
     12010-11-03  Oliver Hunt  <oliver@apple.com>
     2
     3        Reviewed by Gavin Barraclough.
     4
     5        Crash in Function.prototype.call.apply
     6        https://bugs.webkit.org/show_bug.cgi?id=48485
     7
     8        The problem here was op_load_varargs failing to ensure that
     9        there was sufficient space for the entire callframe prior to
     10        op_call_varargs.  This meant that when we then re-entered the
     11        VM it was possible to stomp over an earlier portion of the
     12        stack, so causing sub-optimal behaviour.
     13
     14        * bytecode/Opcode.h:
     15        * bytecompiler/BytecodeGenerator.cpp:
     16        (JSC::BytecodeGenerator::emitLoadVarargs):
     17        * bytecompiler/BytecodeGenerator.h:
     18        * bytecompiler/NodesCodegen.cpp:
     19        (JSC::ApplyFunctionCallDotNode::emitBytecode):
     20        * jit/JIT.cpp:
     21        (JSC::JIT::privateCompile):
     22        * jit/JITOpcodes.cpp:
     23        (JSC::JIT::emit_op_load_varargs):
     24
    1252010-11-03  Kenneth Russell  <kbr@google.com>
    226
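Review bot: the description at lines 8-12 understates what goes wrong; writing past the portion of the register file that has been bounds-checked is memory corruption, not "sub-optimal behaviour", and the entry should say so. It should also mention that op_load_varargs gains a fourth operand (Opcode.h changes its length from 3 to 4), since that is a bytecode format change a reader of the log needs to know about.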
  • trunk/JavaScriptCore/bytecode/Opcode.h

    r69940 r71280  
    163163        macro(op_call_eval, 4) \
    164164        macro(op_call_varargs, 4) \
    165         macro(op_load_varargs, 3) \
     165        macro(op_load_varargs, 4) \
    166166        macro(op_tear_off_activation, 3) \
    167167        macro(op_tear_off_arguments, 2) \
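Review bot: op_load_varargs now carries four operands, but only the JIT emitter in this changeset reads the new one; the interpreter and the bytecode dumper are not among the 8 edited files. Confirm both advance by OPCODE_LENGTH(op_load_varargs) rather than a hard-coded 3, and that the interpreter's own register file growth for this opcode covers the same call frame header the JIT check now covers, otherwise the non-JIT path keeps the original overflow.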
  • trunk/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

    r70496 r71280  
    16751675}
    16761676
    1677 RegisterID* BytecodeGenerator::emitLoadVarargs(RegisterID* argCountDst, RegisterID* arguments)
     1677RegisterID* BytecodeGenerator::emitLoadVarargs(RegisterID* argCountDst, RegisterID* thisRegister, RegisterID* arguments)
    16781678{
    16791679    ASSERT(argCountDst->index() < arguments->index());
     
    16811681    instructions().append(argCountDst->index());
    16821682    instructions().append(arguments->index());
     1683    instructions().append(thisRegister->index() + RegisterFile::CallFrameHeaderSize); // initial registerOffset
    16831684    return argCountDst;
    16841685}
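Review bot: the new operand is computed as thisRegister->index() + RegisterFile::CallFrameHeaderSize, but the generator asserts nothing about it while the JIT side asserts argsOffset <= registerOffset; add the mirror image next to the existing check, e.g. `ASSERT(arguments->index() <= thisRegister->index() + RegisterFile::CallFrameHeaderSize);`, so a mis-ordered temporary allocation fails here rather than in the JIT. The trailing comment "// initial registerOffset" would also say more if it stated that the value is where the callee's call frame header begins.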
  • trunk/JavaScriptCore/bytecompiler/BytecodeGenerator.h

    r69940 r71280  
    351351        RegisterID* emitCallEval(RegisterID* dst, RegisterID* func, CallArguments&, unsigned divot, unsigned startOffset, unsigned endOffset);
    352352        RegisterID* emitCallVarargs(RegisterID* dst, RegisterID* func, RegisterID* thisRegister, RegisterID* argCount, unsigned divot, unsigned startOffset, unsigned endOffset);
    353         RegisterID* emitLoadVarargs(RegisterID* argCountDst, RegisterID* args);
     353        RegisterID* emitLoadVarargs(RegisterID* argCountDst, RegisterID* thisRegister, RegisterID* args);
    354354
    355355        RegisterID* emitReturn(RegisterID* src);
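Review bot: the parameter is named `args` in this declaration but `arguments` in the definition in BytecodeGenerator.cpp; use one name in both so the header documents the same thing the implementation reads.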
  • trunk/JavaScriptCore/bytecompiler/NodesCodegen.cpp

    r70496 r71280  
    537537                generator.emitNode(args->m_expr);
    538538
    539             generator.emitLoadVarargs(argsCountRegister.get(), argsRegister.get());
     539            generator.emitLoadVarargs(argsCountRegister.get(), thisRegister.get(), argsRegister.get());
    540540            generator.emitCallVarargs(finalDestinationOrIgnored.get(), realFunction.get(), thisRegister.get(), argsCountRegister.get(), divot(), startOffset(), endOffset());
    541541        }
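Review bot: thisRegister now feeds both emitLoadVarargs and emitCallVarargs, which ties the new bounds check to the relative allocation of thisRegister and argsRegister, neither of which is visible in this hunk; a one-line comment at this call site stating that the outgoing call frame is laid out from thisRegister would keep a later reordering of those allocations from silently weakening the check.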
  • trunk/JavaScriptCore/jit/JIT.cpp

    r70111 r71280  
    478478
    479479        addPtr(Imm32(m_codeBlock->m_numCalleeRegisters * sizeof(Register)), callFrameRegister, regT1);
    480         registerFileCheck = branchPtr(Below, AbsoluteAddress(&m_globalData->interpreter->registerFile().
    481         m_end), regT1);
     480        registerFileCheck = branchPtr(Below, AbsoluteAddress(&m_globalData->interpreter->registerFile().m_end), regT1);
    482481    }
    483482
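Review bot: the only change in privateCompile is joining the registerFileCheck branchPtr onto one line, yet the ChangeLog lists (JSC::JIT::privateCompile) as if it were part of the fix; either drop it from the entry or mark it as a whitespace-only cleanup so someone bisecting this bug does not look here for the bounds check.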
  • trunk/JavaScriptCore/jit/JITOpcodes.cpp

    r70703 r71280  
    16671667    int argCountDst = currentInstruction[1].u.operand;
    16681668    int argsOffset = currentInstruction[2].u.operand;
     1669    int registerOffset = currentInstruction[3].u.operand;
     1670    ASSERT(argsOffset <= registerOffset);
     1671   
    16691672    int expectedParams = m_codeBlock->m_numParameters - 1;
    16701673    // Don't do inline copying if we aren't guaranteed to have a single stream
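Review bot: line 1671 adds trailing whitespace; drop it. The ASSERT(argsOffset <= registerOffset) is the right invariant, but it is debug-only, so a comment saying that the bytecode generator computes registerOffset as thisRegister + CallFrameHeaderSize would tell a release-build reader why the registerOffset - argsOffset subtraction used later in this function cannot go negative.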
     
    16961699    // Bounds check the registerfile
    16971700    addPtr(regT2, regT3);
     1701    addPtr(Imm32((registerOffset - argsOffset) * sizeof(Register)), regT3);
    16981702    addSlowCase(branchPtr(Below, AbsoluteAddress(&m_globalData->interpreter->registerFile().m_end), regT3));
    16991703
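Review bot: the fast-path check now reserves (registerOffset - argsOffset) * sizeof(Register) beyond the argument copy, but the slow case it falls back to via addSlowCase is not touched here and JITStubs.cpp is not among the edited files; confirm the slow path grows the register file by the same registerOffset-based amount, otherwise calls that take the slow path keep the original overflow. Reusing the same expression in the stub, rather than restating the arithmetic, would keep the two paths from drifting apart again.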
  • trunk/LayoutTests/ChangeLog

    r71278 r71280  
     12010-11-03  Oliver Hunt  <oliver@apple.com>
     2
     3        Reviewed by Gavin Barraclough.
     4
     5        Crash in Function.prototype.call.apply
     6        https://bugs.webkit.org/show_bug.cgi?id=48485
     7
     8        Test for applying arguments to call at the edge of
     9        the allocated region of the registerfile.
     10
     11        * fast/js/call-apply-crash-expected.txt: Added.
     12        * fast/js/call-apply-crash.html: Added.
     13        * fast/js/script-tests/call-apply-crash.js: Added.
     14        (testLog):
     15
    1162010-11-03  Dimitri Glazkov  <dglazkov@chromium.org>
    217
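Review bot: the entry says the test applies arguments to call at the edge of the register file but not how it gets there (recursion depth, argument count, or both); one sentence on that would tell a reader which check the test exercises, the op_load_varargs one added in this changeset or the per-frame check in privateCompile.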